Secure Rtp; Recommended Practices - AudioCodes Mediant 2000 User Manual


User's Manual

18.6.2 Secure RTP

The Mediant 2000 supports Secure RTP (SRTP) as defined in RFC 3711. SRTP provides confidentiality, message authentication, and replay protection for the RTP and RTCP traffic.
Key negotiation is not part of SRTP. Instead, the Mediant 2000 assumes that higher-level protocols handle key management.
Specifications:
- Encryption: AES-128 in Counter Mode
- Authentication: HMAC-SHA1
- Support of key derivation
- Key management is provided via the VoPLib API, MGCP and MEGACO
The VoPLib API may be used over the network (TPNCP protocol). Media security over TPNCP should be used with caution, since the TPNCP connection itself is not encrypted, and sniffing techniques may be used to obtain the session key. The same applies to TGCP connections. Physical security is required to make sure the softswitch connection is protected from unauthorized sniffing.
Note: For further information regarding the VoPLib API, consult the "VoPLib API Reference Manual", Document #: LTRT-840xx.
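The key derivation listed in the specifications, as an added example that is not part of this manual or of AudioCodes' code: the RFC 3711 AES-CM derivation of the session encryption key, session salt and HMAC-SHA1 key from a master key and master salt, run on the RFC's own Appendix B.3 test vectors (function names are the example's own). It also illustrates the caution above: whoever obtains the master key and salt from an unencrypted control connection can derive every session key in exactly the same way, so protecting that channel is what protects the media.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// srtpPRF is the AES-CM key derivation of RFC 3711 4.3.1: x = (label || index DIV kdr) XOR
// master_salt, and the output is the AES-CTR keystream starting from IV = x * 2^16.
func srtpPRF(block cipher.Block, masterSalt []byte, label byte, index, kdr uint64, n int) []byte {
	var r uint64 // r stays 0 when kdr == 0 (no periodic re-keying)
	if kdr != 0 {
		r = index / kdr
	}
	var ctr [16]byte // 14-byte x followed by a 16-bit block counter
	copy(ctr[:], masterSalt)
	ctr[7] ^= label // label occupies byte 7 of x, the 48-bit r bytes 8..13
	for i := 0; i < 6; i++ {
		ctr[13-i] ^= byte(r >> (8 * i))
	}
	out := make([]byte, (n+15)/16*16) // whole AES blocks, truncated to n below
	for i := 0; i < len(out); i += 16 {
		ctr[14], ctr[15] = byte((i/16)>>8), byte(i/16)
		block.Encrypt(out[i:i+16], ctr[:])
	}
	return out[:n]
}

// DeriveSessionKeys returns the AES-128 CTR key, 112-bit salt and HMAC-SHA1 key (labels 0x00, 0x02, 0x01).
func DeriveSessionKeys(masterKey, masterSalt []byte, index, kdr uint64) (key, salt, auth []byte, err error) {
	if len(masterSalt) != 14 {
		return nil, nil, nil, fmt.Errorf("master salt must be 112 bits, got %d", len(masterSalt)*8)
	}
	block, err := aes.NewCipher(masterKey) // a 16-byte master key selects AES-128
	if err != nil {
		return nil, nil, nil, err
	}
	return srtpPRF(block, masterSalt, 0x00, index, kdr, 16),
		srtpPRF(block, masterSalt, 0x02, index, kdr, 14),
		srtpPRF(block, masterSalt, 0x01, index, kdr, 20), nil
}

func main() {
	// Master key and salt are the RFC 3711 Appendix B.3 test vectors, used here as sample input.
	mk, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	ms, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	key, salt, auth, _ := DeriveSessionKeys(mk, ms, 0, 0)
	fmt.Printf("cipher key %x\nsession salt %x\nauth key %x\n", key, salt, auth)
}
```

A non-zero key derivation rate makes the derived keys change every kdr packets, which is the rate-limited re-keying RFC 3711 describes; with kdr = 0 the keys are fixed for the session.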
18.7 Recommended Practices

To improve network security, the following guidelines are recommended when configuring the Mediant 2000:
- Set the management password to a unique, hard-to-guess string. Do not use the same password for several devices, as a compromise of one may lead to the compromise of others. Keep this password safe at all times, and change it frequently.
- If possible, use a RADIUS server for authentication. RADIUS allows you to set different passwords for different users of the Mediant 2000, with centralized management of the password database. Both the Web and Telnet interfaces support RADIUS authentication.
- Use IPSec to secure traffic to all management and control hosts. Since IPSec encrypts all traffic, hackers cannot capture sensitive data transmitted on the network, and malicious intrusions are severely limited.
- Use HTTPS when accessing the Web interface. Set HTTPSONLY=1 to allow only HTTPS traffic (and block port 80). If you don't need the Web interface, disable the Web server.
- If you use Telnet, do not use the default port (23). Use SSL mode to protect Telnet traffic from network sniffing.
- If you use SNMP, do not leave the community strings at their default values, as
Note: Using media security reduces the channel capacity of the device.
Version 5.0 | 18. Appendix - Security | June 2006 | 449
